
Thymeleaf CSRF injection can break session handling

Open benjohnde opened this issue 5 years ago • 0 comments

Configuration

Environment: Spring-Boot 2.1.9 with Thymeleaf 2.1.9.

Problem

The following error occurred while handling parallel requests with SessionCreationPolicy.ifRequired (default): "Cannot create a session after the response has been committed".

Solution

Setting SessionCreationPolicy to always fixes the problem.

We assume that the automatic injection of the csrf token into a form (handled during template rendering with Thymeleaf) leads to a race condition in which the token is sometimes persisted only after the response chain has executed, leaving no session in which to persist the csrf token. We are not quite sure whether this is a bug in Thymeleaf, Spring-Boot or the pure Spring-Security framework.

Nonetheless, as we assume that this bug may affect multiple organisations, we want to raise awareness of such an issue.

benjohnde avatar Jan 07 '20 13:01 benjohnde
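The two SessionCreationPolicy settings the issue compares, shown side by side in a Spring Security configuration for the Spring Boot 2.1 generation the reporter was on. This is an added example, not code from the issue or from the thymeleaf-spring project; the class name SecurityConfig and the URL rules are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

/**
 * Example configuration (assumed class name) contrasting the default session
 * policy with the workaround the issue reporter settled on.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Default (equivalent to omitting the line): a session is created only
            // when something needs it. With CSRF protection enabled (the default),
            // that "something" is the session-backed CSRF token repository saving
            // the token Thymeleaf renders into th:action forms. Under parallel
            // requests the reporter saw that save happen after the response was
            // committed, producing "Cannot create a session after the response
            // has been committed".
            // .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)

            // Workaround from the issue: create the session eagerly, before
            // template rendering starts, so the token always has a session to
            // be persisted in.
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
                .and()
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }
}
```

ALWAYS creates an HttpSession for every request, including unauthenticated ones, so the trade-off is more server-side session state in exchange for a session that exists before any view is rendered.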